Advantech WebAccess HMI Designer
Priority: Act Now
CVSS: 9.8
Source: ICS-CERT ICSA-20-219-02
Published: Aug 6, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
WebAccess HMI Designer versions 2.1.9.31 and earlier contain multiple memory corruption vulnerabilities: heap-based buffer overflow (CWE-122), out-of-bounds read (CWE-125), out-of-bounds write (CWE-787), type confusion (CWE-843), stack-based buffer overflow (CWE-121) and double free (CWE-415). Successful exploitation could allow an unauthenticated remote attacker to read or modify information, execute arbitrary code, or crash the application. No public exploits are currently known.
What this means
What could happen
An attacker could execute arbitrary code on a workstation running WebAccess HMI Designer, allowing them to read or modify HMI project files, disrupt the design/engineering process, or potentially inject malicious logic into control systems before deployment.
Who's at risk
Manufacturing facilities using Advantech WebAccess HMI Designer should prioritize this issue. The affected software is used on engineering workstations to design human-machine interfaces for control systems. Compromised HMI projects could be deployed to production PLCs or SCADA systems, affecting process monitoring and control.
How it could be exploited
An attacker with network access to a system running WebAccess HMI Designer version 2.1.9.31 or earlier could trigger one of the memory corruption vulnerabilities (for example a buffer overflow or an out-of-bounds read) to achieve remote code execution without authentication. The attacker would deliver specially crafted input, either network packets or files, to the application to trigger the vulnerability.
Prerequisites
- Network access to the WebAccess HMI Designer application (typically on engineering workstations, accessible if workstations are exposed to untrusted networks)
- WebAccess HMI Designer version 2.1.9.31 or earlier installed
Tags: remotely exploitable · no authentication required · low complexity · affects engineering/design tools · high CVSS score (9.8)
Exploitability
Moderate exploit probability (EPSS 2.6%)
Affected products (1)
Product                  | Affected Versions | Fix Status
WebAccess HMI Designer   | ≤ 2.1.9.31        | Fixed in 2.1.9.81
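A practical way to find out which engineering workstations still run an affected build is to read the installed version from the Windows uninstall registry and compare it against the affected ceiling (2.1.9.31) and the fixed version (2.1.9.81) listed above. The script below is an added example and is not part of the advisory or Advantech's own tooling; it assumes the product registers itself with a DisplayName containing "WebAccess HMI Designer" and a parseable DisplayVersion, so adjust the pattern if your installation differs.

```powershell
# Added example: classify an installed WebAccess HMI Designer against ICSA-20-219-02.
# Assumption: the uninstall entry's DisplayName contains "WebAccess HMI Designer".
$FixedVersion    = [version]'2.1.9.81'   # fixed release from the advisory
$AffectedCeiling = [version]'2.1.9.31'   # highest affected release from the advisory

# Both native and WOW6432Node uninstall hives, since the Designer is a 32-bit app on 64-bit Windows.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installs = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*WebAccess HMI Designer*' }

if (-not $installs) {
    Write-Output "WebAccess HMI Designer not found in the uninstall registry on $env:COMPUTERNAME"
    return
}

foreach ($app in $installs) {
    $ver = $null
    # DisplayVersion is a free-form string; refuse to guess if it does not parse as a System.Version.
    if (-not [version]::TryParse($app.DisplayVersion, [ref]$ver)) {
        Write-Output ("{0}: could not parse DisplayVersion '{1}'; verify manually" -f $app.DisplayName, $app.DisplayVersion)
        continue
    }

    if ($ver -le $AffectedCeiling) {
        $status = 'VULNERABLE (ICSA-20-219-02): update to 2.1.9.81 or later'
    } elseif ($ver -lt $FixedVersion) {
        $status = 'above affected ceiling but below the published fix: confirm with the vendor'
    } else {
        $status = 'patched'
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Product  = $app.DisplayName
        Version  = $ver.ToString()
        Status   = $status
    }
}
```

Run it locally on each workstation, or wrap it in Invoke-Command against the engineering OU to collect one row per host. The intermediate "confirm with the vendor" bucket exists because the advisory names only the ceiling and the fix; a build between the two is not listed as affected, but the page gives no basis for calling it safe.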
Remediation & Mitigation
Do now
- HARDENING: Isolate engineering workstations running WebAccess HMI Designer from untrusted networks using network segmentation or firewall rules
- HARDENING: Restrict network access to WebAccess HMI Designer ports to only authorized engineering networks
- WORKAROUND: Do not open unsolicited email attachments or click untrusted links on engineering workstations
Schedule (requires maintenance window)
- Patching may require a device reboot; plan for process interruption
- HOTFIX: Update WebAccess HMI Designer to version 2.1.9.81 or later
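The two hardening items above amount to host-level isolation of the Designer workstation until the hotfix is applied: default-deny inbound, and admit traffic only from the engineering network. The script below is an added example of doing that with the built-in Windows Firewall cmdlets; it is not from the advisory or from Advantech. The engineering subnet (10.20.30.0/24) and the rule name are assumptions for illustration, and because the advisory does not list the Designer's ports, the rule is scoped by source address rather than by port.

```powershell
# Added example: restrict inbound traffic to a WebAccess HMI Designer workstation
# so that only an authorized engineering subnet can reach it.
# Assumptions: the engineering subnet below and the rule name are placeholders.
$EngineeringSubnet = '10.20.30.0/24'
$RuleName = 'HMI Designer workstation - inbound from engineering subnet only'

# 1. Default-deny inbound on every profile; from here on only explicit Allow rules admit traffic.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable the other enabled inbound Allow rules so nothing admits traffic from
#    arbitrary sources. Core Networking (DHCP, ICMP, IPv6 control traffic) is left
#    alone; review the remaining list and re-enable anything required, scoped with
#    Set-NetFirewallRule -RemoteAddress to the engineering subnet.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -ne $RuleName -and $_.DisplayGroup -notlike 'Core Networking*' } |
    Disable-NetFirewallRule

# 3. Allow inbound only from the engineering subnet (replace the rule if it already exists).
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName
}
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -RemoteAddress $EngineeringSubnet -Profile Domain,Private,Public | Out-Null

# 4. Verify: list every enabled inbound Allow rule with its remote-address scope.
#    Anything still showing 'Any' admits traffic from untrusted networks.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Group         = $_.DisplayGroup
            RemoteAddress = ($addr -join ',')
        }
    } | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the workstation, and take the step 4 listing as the evidence for the "Do now" items: the only rules left open to 'Any' should be the Core Networking group. The WORKAROUND item (not opening untrusted attachments or links) is not something a firewall rule enforces, so it still needs user guidance or mail filtering on the engineering network.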